Introduction

The examiner's primary goal in reviewing e-banking activities is
to determine whether the institution is providing e-banking
products and services in a safe and sound manner that supports
compliance with consumer-protection regulations. This determination
is based on whether the institution's risk management practices are
commensurate with the level of risk in its e-banking
activities.

The e-banking examination procedures are a tool to help
examiners reach conclusions regarding the effectiveness of an
institution's risk management of e-banking activities.
Examiners should use their judgment, consistent with the
institution's supervisory strategy, in selecting applicable
examination objectives and determining the need for specific
testing of controls. Examiners may rely on the work of
auditors and consultants deemed independent and competent in
establishing their examination scope.

The examination procedures that follow focus on the risks
inherent in the processes and technologies supporting e-banking
products and services. They supplement, but do not replace,
procedures from other IT Handbook booklets that apply to
general IT activities (e.g., program development and maintenance,
networking, information security, etc.). Depending on the scope of
coverage targeted, examiners should consider using these procedures
in combination with others from the IT Handbook and
related issuances.

The structure of the e-banking examination procedures parallels
the structure of the narrative portion of this booklet. The
procedures cover:

Setting the examination scope,

Evaluating board and management oversight,

Assessing the information security program,

Reviewing legal and compliance issues, and

Deriving exam conclusions.

Depending on the complexity of the institution's activities and
the scope of prior reviews, it is generally not necessary to
complete all of the examination objectives or procedures in order
to reach conclusions on the effectiveness of the financial
institution's risk management processes. The procedures are
designed for conducting targeted, integrated reviews of new or
significantly expanded e-banking services. However, for follow-up
activities or e-banking reviews conducted as part of a
comprehensive review of an institution's IT activities, examiners
should customize their e-banking coverage to avoid duplication of
topics covered in other examination programs.

This section of the booklet also includes discussion points
examiners can use as a reference when talking to management as they
are considering or implementing e-banking products and services and
a sample list of items to include in the request letter for each of
the objectives stated in the examination procedures.

Discussion Points for Examiners

Financial institutions frequently
contact examiners seeking guidance on things to consider when they
plan to offer or expand e-banking services. The following
discussion points are offered as a guide to assist examiners when
discussing e-banking plans and strategies with institution
management.

Strategic Plans -
Decisions on e-banking should be consistent with the financial
institution's strategic and operating business plans. Any decision
to offer or expand e-banking services should consider customer
demand for the services, competitive issues, and the risks in the
technology. The institution should periodically evaluate the
success of its e-banking strategy and make changes as
appropriate.

Impact on Earnings and
Capital - Financial institution management should have
realistic projections of the expected impact of e-banking on
earnings and capital. If management projects a significant impact
then profitability plans should address pricing and marketing
expenses. If management projects rapid growth in loans or deposits,
then plans should address the impact on liquidity, asset quality,
and capital adequacy.

E-Banking Software and Service
Provider Selection - Financial institutions should exercise
an appropriate level of due diligence in selecting third-party
providers or developing systems in-house. User departments should
be involved in the selection process since they will work with the
system on a daily basis once it is operational.

Internal Controls and
Audit - The institution's board and management should
ensure that internal control and audit processes are adequate to
enable the identification, measurement, and monitoring of the risks
associated with e-banking. Management should attempt to quantify
increased expenses and losses due to internal control-related
weaknesses and fraud.

Legal Requirements -
Management should research and understand various legal
requirements, including compliance issues, as part of the e-banking
decision process. Many legal issues are evolving and will require
management to monitor developments.

Vendor Management -
Research of outsourcing arrangements should include consideration
of potential vendors' financial condition, reputation and
expertise, years in business, history of service interruptions and
recoveries, and future business plans. Selection should also
consider the ability to agree on a contract that clearly defines
responsibility for maintaining and sharing information and any
resulting liability for its unauthorized use or disclosure.

Business Continuity
Planning - Whether provided by the financial institution
or a third party, management should plan for recovery of critical
e-banking technology and business functions and develop alternate
operating processes for use during service disruptions.

Insurance - A review
of insurance coverage may be in order to determine if existing
policies specifically cover or exclude activities conducted over
open networks like the Internet.

Expertise - The
financial institution should ensure it has the proper level of
expertise to make business decisions regarding e-banking and
network security. The board of directors and senior management may
need to enhance their understanding of technology issues. If such
expertise is not available in-house, the institution should
consider engaging outside expertise.

General Procedures

Objective 1: Determine the scope for the examination
of the institution's e-banking activities consistent with the
nature and complexity of the institution's operations.

1. Review the following documents to identify previously
noted issues related to the e-banking area that require
follow-up:

Findings from GLBA security and control tests and annual GLBA
reports to the board.

7. Review the network schematic to identify the location of
major e-banking components. Document the location and the entity
responsible for development, operation, and support of each of the
major system components.

8. Review the institution's e-banking site(s) to gain a
general understanding of the scope of e-banking activities and the
website's organization, structure, and operability.

9. Discuss with management recent and planned changes in:

The types of products and services offered;

Marketing or pricing strategies;

Network structure;

Risk management processes, including monitoring
techniques;

Policies, processes, personnel, or controls, including
strategies for intrusion responses or business continuity
planning;

Service providers or other technology vendors; and

The scope of independent reviews or the individuals or entities
conducting them.

10. Based on the findings from the previous steps, determine the
scope of the e-banking review. Discuss, as appropriate, with the
examiner or office responsible for supervisory oversight of the
institution.

Select from among the following examination objectives and
procedures those that are appropriate to the examination's scope.
When more in-depth coverage of an area is warranted, examiners
should select procedures from other booklets of the IT Handbook as
necessary (e.g., "Information Security Booklet," "Retail Payments
Systems Booklet," etc.). For more complex e-banking environments,
examiners may need to integrate IT coverage with business
line-specific coverage. In those cases, examiners should consult
other subject matter experts and consider inclusion of the member
agency's expanded procedures (e.g., compliance, retail lending,
fiduciary/asset management, etc.).

BOARD AND MANAGEMENT OVERSIGHT

Objective 2: Determine the adequacy of board and
management oversight of e-banking activities with respect to
strategy, planning, management reporting, and audit.

Management's evaluation of security risks, threats, and
vulnerabilities is realistic and consistent with the institution's
risk profile;

Management's knowledge of federal and state laws and
regulations as they pertain to e-banking is adequate;
and

A process exists to periodically evaluate the institution's
e-banking product mix and marketing successes and link those
findings to its planning process.

2. Determine whether e-banking guidance and risk considerations
have been incorporated into the institution's operating policies to
an extent appropriate for the size of the financial institution and
the nature and scope of its e-banking activities. Consider whether
the institution's policies and practices:

Include e-banking issues in the institution's processes and
responsibilities for identifying, measuring, monitoring, and
controlling risks;

Include e-banking considerations in the institution's written
privacy policy; and

Require the board of directors to periodically review and
approve updated policies and procedures related to e-banking.

3. Assess the level of oversight by the board and management in
ensuring that planning and monitoring are sufficiently robust to
address heightened risks inherent in e-banking products and
services. Consider whether:

The board reviews, approves, and monitors e-banking
technology-related projects that may have a significant impact on
the financial institution's risk profile;

The board ensures appropriate programs are in place to oversee
security, recovery, and third-party providers of critical e-banking
products and services;

Senior management evaluates whether technologies and products
are in line with the financial institution's strategic goals and
meet market needs;

Unauthorized penetrations of e-banking system or network, both
actual and attempted;

Losses due to fraud or processing/balancing errors; and

Credit performance and profitability of accounts originated
through e-banking channels.

5. Determine whether audit coverage of e-banking activities is
appropriate for the type of services offered and the level of risk
assumed. Consider the frequency of e-banking reviews, the adequacy
of audit expertise relative to the complexity of e-banking
activities, and the extent of functions outsourced to third-party
providers. The audit scope should include:

Strategic and business plans are consistent with outsourcing
activity, and

Vendor information was gathered and analyzed prior to signing
the contract, and the analysis considered the following:
- Vendor reputation;
- Financial condition;
- Costs for development, maintenance, and support;
- Internal controls and recovery processes; and
- Ability to provide required monitoring reports.

2. Determine whether the institution has reviewed vendor
contracts to ensure that the responsibilities of each party are
appropriately identified. Consider the following provisions if
applicable:

Description of the work performed or service provided;

Basis for costs, description of additional fees, and details on
how prices may change over the term of the contract;

Limitations over subcontracting (i.e., prohibition or
notification prior to engaging a subcontractor for data processing,
software development, or ancillary services supporting the
contracted service to the institution);

Termination rights without excessive fees, including the return
of data in a machine-readable format in a timely manner;

Financial institution ownership of the data;

Covenants dealing with the choice of law (United States or
foreign nation); and

Rights of federal regulators to examine the services, including
processing and support conducted from a foreign nation.

1. Determine whether the institution's written
security program for customer information required by GLBA
guidelines includes e-banking products and services.

2. Discuss the institution's e-banking environment with
management as applicable. Based on this discussion, evaluate
whether the examination scope should be expanded to include
selected Tier II procedures from the IT Handbook's "Information
Security Booklet." Consider discussing the following topics:

Current knowledge of attackers and attack techniques;

Existence of up-to-date equipment and software
inventories;

Rapid response capability for newly discovered
vulnerabilities;

Network access controls over external connections;

Hardening of systems;

Malicious code prevention;

Rapid intrusion detection and response procedures;

Physical security of computing devices;

User enrollment, change, and termination procedures;

Authorized use policy;

Personnel training;

Independent testing; and

Service provider oversight.

3. Determine whether the security program includes
monitoring of systems and transactions and whether exceptions are
analyzed to identify and correct noncompliance with security
policies as appropriate. Consider whether the institution
adequately monitors the following:

Systems capacity and utilization;

The frequency and duration of service interruptions;

The volume and type of customer complaints, including time to
resolution;

Transaction volumes by type, number, and dollar
amount;

Security exceptions;

Unauthorized penetrations of e-banking system or network, both
actual and attempted (e.g., firewall and intrusion detection system
logs); and

E-banking losses due to fraud or errors.

4. Determine the adequacy of the institution's authentication
methods and need for multi-factor authentication relative to the
sensitivity of systems or transactions. Consider the following
processes:

Selection of password length and composition considering ease
of remembering, vulnerability to compromise, sensitivity of system
or information protected, and use as single- or multi-factor
authentication;

Restrictions on the use of automatic log-on features;

User lockout after a number of failed log-on attempts -
industry practice is generally no more than 3 to 5 incorrect
attempts;

Password expiration for sensitive internal or high-value
systems;

Users' ability to select and/or change their passwords;

Passwords disabled after a prolonged period of inactivity;

Secure process for password generation and distribution;

Termination of customer connections after a specified interval
of inactivity - industry practice is generally not more than 10 to
20 minutes;

Procedures for resetting passwords, including forced change at
next log-on after reset;
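The controls listed above (lockout after a small number of failures, password expiry and forced change after a reset, disabling dormant credentials, idle-session termination) are straightforward to model, and a working model is useful when an examiner wants to confirm that an institution's implementation actually behaves as its policy states. The following Python is an added example and is not code from the FFIEC booklet or from any institution's system. Every threshold, the password-length rule, the account names, and the start time are assumptions chosen inside the bands the procedure cites; the current time is a plain attribute so the timeouts can be exercised offline.

```python
# Added example, not from the FFIEC booklet: a minimal model of the customer
# authentication controls listed above. Every threshold, name and policy value is
# an assumption chosen inside the bands the procedure cites; the current time is a
# plain attribute so lockout, expiry and idle timeout can be exercised offline.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple
LOCKOUT_THRESHOLD = 5                     # "no more than 3 to 5 incorrect attempts"
IDLE_TIMEOUT = timedelta(minutes=15)      # "not more than 10 to 20 minutes"
PASSWORD_MAX_AGE = timedelta(days=90)     # assumed expiry period
INACTIVITY_DISABLE = timedelta(days=180)  # assumed "prolonged period of inactivity"
MIN_PASSWORD_LENGTH = 12                  # assumed length rule
PBKDF2_ROUNDS = 100_000
EXAMPLE_START = datetime(2024, 1, 1, 9, 0)  # constructed start time for the walk-through

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given.
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    password_set_at: datetime
    last_login_at: datetime
    failed_attempts: int = 0
    locked: bool = False
    disabled: bool = False
    must_change_password: bool = False

class AuthService:
    def __init__(self, now: datetime):
        self.now = now       # advanced by the caller; a deployment would read the clock
        self.accounts = {}   # username -> Account
        self.sessions = {}   # token -> [username, last_activity]

    def create_account(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password shorter than policy minimum")
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest, self.now, self.now)

    def login(self, username: str, password: str) -> Tuple[str, Optional[str]]:
        # Returns (status, session_token); a token is issued only on "ok".
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password)  # same cost for unknown users, no enumeration hint
            return "denied", None
        if acct.disabled or self.now - acct.last_login_at > INACTIVITY_DISABLE:
            acct.disabled = True     # dormant credential switched off
            return "disabled", None
        if acct.locked:
            return "locked", None
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked = True
                return "locked", None
            return "denied", None
        acct.failed_attempts = 0
        acct.last_login_at = self.now
        if acct.must_change_password or self.now - acct.password_set_at > PASSWORD_MAX_AGE:
            return "change_password", None  # no session until the password is changed
        token = secrets.token_urlsafe(32)
        self.sessions[token] = [username, self.now]
        return "ok", token

    def admin_reset_password(self, username: str, temporary_password: str) -> None:
        # Help-desk reset: unlocks the account but forces a change at next log-on.
        acct = self.accounts[username]
        acct.salt, acct.digest = hash_password(temporary_password)
        acct.password_set_at = self.now
        acct.failed_attempts, acct.locked, acct.must_change_password = 0, False, True

    def change_password(self, username: str, old: str, new: str) -> bool:
        acct = self.accounts[username]
        _, digest = hash_password(old, acct.salt)
        if not hmac.compare_digest(digest, acct.digest) or len(new) < MIN_PASSWORD_LENGTH:
            return False
        acct.salt, acct.digest = hash_password(new)
        acct.password_set_at, acct.must_change_password = self.now, False
        return True

    def authorize(self, token: str) -> Optional[str]:
        # Resolves a session token; idle sessions are terminated, active ones refreshed.
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if self.now - sess[1] > IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        sess[1] = self.now
        return sess[0]
```

Two design points carry over to a real review. A reset by the help desk clears the lock but does not issue a session; the customer must prove the temporary password and then choose a new one before any transaction is possible, which is the "forced change at next log-on" control. The lockout counter is only cleared by a successful login or a reset, so an attacker cannot keep an account just under the threshold indefinitely, and the same password-hashing cost is paid for unknown usernames so that response time does not reveal which accounts exist.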

Disclosure of privacy policy (financial institutions are
encouraged, but not required, to disclose their privacy policies on
their websites), to include:
- "Conspicuous" disclosure of the privacy policy on the website in a
manner that complies with the privacy regulation, and
- Information on how to "opt out" of sharing (if the institution
shares information with third parties).

4. If the financial institution electronically delivers consumer
disclosures that are required to be provided in writing, assess the
institution's compliance with the E-Sign Act. Review to determine
whether:

The disclosures:
- Are clear and conspicuous;
- Inform the consumer of any right or option to receive the record
in paper or non-electronic form;
- Inform the consumer of the right to withdraw consent, including
any conditions, consequences, or fees associated with such
action;
- Inform consumers of the hardware and software needed to access
and retain the disclosure for their records; and
- Indicate whether the consent applies to only a particular
transaction or to identified categories of records.

The procedures the consumer uses to affirmatively consent to
electronic delivery reasonably demonstrate the consumer's ability
to access/view disclosures.

5. Determine whether e-banking support services are in place to
facilitate compliance efforts, including:

Effective customer support by the help desk, addressing:
- Complaint levels and resolution statistics,
- Performance relative to customer service level expectations,
and
- Review of complaints/problems for patterns or trends indicative
of processing deficiencies or security weaknesses.

7. If the overview of e-banking compliance identifies
weaknesses in the institution's consideration and oversight of
compliance issues, consider expanding coverage to include a more
detailed review using agency-specific compliance examination
procedures.

Significant control weaknesses or risks (note the root cause of
the deficiency, consequence of inaction or benefit of action,
management corrective action, the time frame for correction, and
the person responsible for corrective action);

Deviations from safety and soundness principles that may result
in financial or operational deterioration if not addressed;
or

6. Revise draft e-banking comments to reflect discussions
with management and finalize comments for inclusion in the report
of examination.

7. As applicable, according to your agency's
requirements/instructions, include written comments specifically
stating what the regulator should do in the future to effectively
supervise e-banking in this institution. Include supervisory
objectives, time frames, staffing, and workdays required.

8. Update the agency's information systems and applicable
report of examination schedules or tables as applicable.

E-Banking Request Letter Items

Objective 1 - Determine the scope for the
examination of the institution's e-banking activities consistent
with the nature and complexity of the institution's
operations.

An organization chart of e-banking personnel including the
name, title, and phone number of the e-banking examination
contact.

A list of URLs for all financial institution-affiliated
websites.

A list of all e-banking platforms utilized and network diagrams
including servers, routers, firewalls, and supporting system
components.

A list of all e-banking related products and services including
transaction volume data on each if it is available.

A description of any changes in e-banking activities or future
e-banking plans since the last exam.

Descriptions of e-banking-related training provided to
employees including date, attendees, and topics.

Strategic plans or feasibility studies related to
e-banking.

Insurance policies covering e-banking activities such as
blanket bond, errors and omissions, and any riders relating to
e-banking.

Copies of recent management and board reports that measure or
analyze e-banking performance both strategically and technically,
such as percentage of customers using e-banking channels or system
capacity to maintain current and planned level of transactional
activity.

Policies for, or a description of, permissible cross-border
e-banking including types of products and services such as account
opening, account access, or funds transfer, and restrictions such
as geographic location, citizenship, etc.

Policies for, or a description of, the institution's due
diligence process for accepting cross-border business.